Another day, another major breach of credit card data. And this one is a doozy. The payment processor Heartland Payments Systems released a statement on January 20th that they had suffered a breach and an unknown number of credit card accounts had been compromised. Heartland is the 5th largest payment processor in the world, with over 250,000 customers and handling over 100 million transactions per month. It is likely this breach will result in the compromise of more accounts than the infamous TJX breach of 2006 in which approximately 95 million card accounts were exposed.

It appears this hack was a result of poor endpoint security and a lack of encryption of data in motion. I will start by stating that Heartland was in compliance with the PCI DSS and had been audited in April of 2008. That being said, PCI DSS compliance does not guarantee that data is secure. It is a good starting point, but more can and should be done, to ensure the protection of cardholder data.

Back to the Heartland hack; according to the information I have read so far, it appears that some number of systems in their cardholder data environment became infected with spyware that was able to sniff credit card account information while being transmitted over the network. If this is true, it validates my belief that endpoint security is often times the weakest link in the enterprise security environment. I have no doubt that these systems had anti-virus software installed. However, anti-virus software is only as good as their signature database and most are woefully inadequate at detecting malware, especially custom malware. In environments with high security concerns, it is appropriate to utilize application whitelisting utilities that allow only those applications that are specifically defined to execute. These utilities don’t rely on signtures and significantly reduces the threat of malware.

The other problem in the Heartland environment was the fact that credit card data was being transmitted between them and the card companies in clear text. The reason this was not highlighted as a violation of the PCI DSS is because many payment processors use dedicated leased lines to the payment brands, which is often cited as a compensating control for the use of encryption. Clearly, this is a weak compensating control that allows for unfettered access to information on the network in the event that a workstation or server is compromised. Best practice would dictate that account numbers should be encrypted over the network, which is easily achievable with a variety of methods. Defense in depth is lesson to be learned here.

Finally, it appears that Heartland did not have very strong logging and monitoring controls in place as they did not detect the malware themselves. They were notified by Visa and Mastercard of suspicious activity coming from their network. Once notified, Heartland took nearly two months to disclose the breach. It appears their handling of this incident may be in violation of several state laws. If the scope of the breach is as large as is being reported, Heartland may end up spending $100 million dollars or more to deal with this incident. They are already facing a lawsuit as a result of the incident. This is far more money than it would have cost to secure their endpoints and encrypt data in motion. Look for the PCI DSS to be amended as a result of this incident to address these issues.